Replies: 1 comment
Duende.BFF is merely an SDK that turns an ASP.NET Core Web Application into a web host capable of acting as a Backend-For-Frontend. So in the end, not only browsers can indeed attempt to gain access, but as you've encountered, bots and scripts can do the same. You can easily test this from a shell by running a curl, wget or Invoke-WebRequest command, depending on the type of shell and operating system. Detecting and preventing access from scripts or bots isn't a task for the BFF SDK, but rather a task for custom middleware on the ASP.NET Core side. While this blog post is written for Duende IdentityServer, you can use it as a guideline to apply rate limiting to your BFF host to still allow some use, or completely deny them from reaching the BFF endpoints entirely.
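As an added illustration of the "custom middleware on the ASP.NET Core side" approach (example code written here, not from Duende or the discussion above): the built-in ASP.NET Core rate limiter (.NET 7+) applied only to the `/bff` path prefix, partitioned by client IP rather than by User-Agent, since the question notes that User-Agent is trivially changed. Authentication registration and the `/bff` path prefix are assumed to match the standard Duende.BFF setup.

```csharp
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);

// Cookie + OpenID Connect registration as in the Duende.BFF docs (assumed, omitted here).
builder.Services.AddBff();

builder.Services.AddRateLimiter(options =>
{
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

    // One partition per client IP, but only for the BFF management endpoints.
    // Everything else gets a no-op limiter so the static Blazor assets are unaffected.
    options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(ctx =>
    {
        if (!ctx.Request.Path.StartsWithSegments("/bff"))
            return RateLimitPartition.GetNoLimiter("unlimited");

        // Key on the connection address, not User-Agent: scripts can set any UA they like.
        var key = ctx.Connection.RemoteIpAddress?.ToString() ?? "unknown";
        return RateLimitPartition.GetFixedWindowLimiter(key, _ => new FixedWindowRateLimiterOptions
        {
            PermitLimit = 30,                    // constructed limit; tune to real login traffic
            Window = TimeSpan.FromMinutes(1),
            QueueLimit = 0                       // reject immediately instead of queueing
        });
    });
});

var app = builder.Build();

app.UseAuthentication();
app.UseBff();
app.UseAuthorization();
app.UseRateLimiter();   // after routing (added implicitly by WebApplication), before endpoints

app.MapBffManagementEndpoints();   // /bff/login, /bff/logout, /bff/user, ...

app.Run();
```

If the host sits behind a reverse proxy, enable the forwarded-headers middleware first, otherwise every request shares the proxy's address and a single partition throttles all users at once.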
Hi all,
We're running a Blazor app with BFF along with Identity Server as a separate service.
We've noticed an increase in traffic and have narrowed it down to people running automated scripts to handle the login to get a session, and then calling subsequent APIs via the BFF. I've identified one of these as using aiohttp & asyncio (I myself am not familiar with Python) to automate this. Is there any way of knowing and blocking these requests? Some user agent headers are axios, but some have been changed to match Chrome. I was initially under the assumption that the BFF could only be used via a browser, but I assume that's incorrect, unless I've missed some config?
Thanks!